Part 1 — Overview
Publication date: 2018
About the OAIC
The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency within the Attorney-General’s portfolio, established under the Australian Information Commissioner Act 2010 (AIC Act).
Our key role is to meet the needs of the Australian community when it comes to the regulation of privacy and freedom of information. We do this by:
- Ensuring proper handling of personal information in accordance with the Privacy Act 1988 (Privacy Act) and other legislation
- Protecting the public’s right of access to documents under the Freedom of Information Act 1982 (FOI Act)
- Performing strategic functions relating to information management within the Australian Government, in accordance with the AIC Act
The OAIC is headed by the Australian Information Commissioner, a statutory officer appointed by the Governor-General under the AIC Act. The Commissioner has a range of powers and responsibilities outlined in the AIC Act, and exercises powers under the FOI Act, the Privacy Act and other legislation.
Timothy Pilgrim, PSM, was the Australian Information Commissioner and the Privacy Commissioner during the term of this annual report until his retirement on 23 March 2018. Angelene Falk was appointed as acting Australian Information Commissioner and acting Privacy Commissioner on 24 March 2018 and was appointed by the Governor-General as Australian Information Commissioner and Privacy Commissioner on 16 August 2018.
Our Purpose is to promote and uphold privacy and information access rights.
In the 2017–18 Corporate Plan we determined we would be successful if we:
- Assist businesses and Australian Government agencies to understand their privacy obligations and respect and protect the personal information that they handle
- Efficiently and effectively take action against suspected interferences with privacy to improve compliance with the Privacy Act 1988
- Assist the community to understand and feel confident to exercise their privacy and information access rights
- Assist Australian Government agencies to understand their FOI obligations and respect and promote access to government information
- Efficiently and effectively carry out our regulatory functions under the Freedom of Information Act 1982
This has been a year of great achievement, continuity and change for the OAIC.
On 23 March 2018 we said farewell to Timothy Pilgrim, who retired from the positions of Australian Information Commissioner and Privacy Commissioner after contributing so much to the privacy, FOI and information management landscape and who skilfully navigated the OAIC through considerable change. The achievements in this report reflect Timothy’s dedication and vision. Over more than 20 years Timothy upheld and promoted the values of privacy protection and access to government held information through his work.
I took over the roles as acting Australian Information Commissioner and acting Privacy Commissioner from 24 March 2018 and was appointed as Australian Information Commissioner and Privacy Commissioner on 16 August 2018 for a three-year term.
My acting appointment coincided with a time of heightened community awareness of privacy, both domestic and global. Domestic and global regulatory developments are requiring greater transparency and accountability of personal information handling, and the community is increasingly expecting business and government to meet that challenge.
The European Union General Data Protection Regulation (GDPR) came into effect in May 2018, impacting Australian organisations that operate in the European market. Like Australia’s Notifiable Data Breaches (NDB) scheme and the Australian Government Agencies Privacy Code, the requirements concentrate on enhancing the accountability and transparency of personal information handling practices.
Increased community awareness is reflected in the demand for the OAIC’s services, with a general growth in work across the OAIC’s regulatory activities in both privacy and information access. We have also continued to create efficiencies and increase our productivity, while implementing a significant new area of work with the NDB scheme commencing on 22 February 2018. This is a testament to the OAIC’s ability to adapt and respond, and to the skill, commitment and dedication of staff. The NDB scheme requires all entities with obligations to secure personal information under the Privacy Act to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. Entities must also notify the OAIC.
The NDB scheme is a key transparency measure, reinforcing organisations’ accountability for personal information security. In the period to 30 June 2018 we received 305 data breach notifications under the NDB scheme and 174 voluntary notifications. By comparison, in the 2016–17 financial year, the OAIC received 114 voluntary data breach notifications.
We have established a framework to receive and respond to NDB notifications. We are releasing quarterly reports, which provide statistical information on notifiable data breaches occurring in Australia and the reasons why they happen. Understanding causes will help everyone to take steps to mitigate against occurrences in the future. We will also continually enhance our processes and build on the guidance we provide to organisations and agencies.
In 2017–18 the OAIC received 2,947 privacy complaints, an 18% increase on last year, and we closed 2,766, an 11% increase on privacy complaints closed compared to last financial year. We received 801 requests for Information Commissioner (IC) review under the Freedom of Information Act 1982 (FOI Act), a 27% increase on last year, and closed 610, an increase of 18% on 2016–17. Our team has handled 19,407 privacy enquiries and 1,931 freedom of information (FOI) enquiries, either in writing, by phone or in person. This represents an overall increase of 13% when compared to last financial year.
We continued to implement efficiencies in our regulatory activities to address these increases, and to work effectively within the resources available. The average time taken to close a privacy complaint was 3.7 months this year, compared to 4.7 months in 2016–17. Regarding FOI — notwithstanding the increase in the number of IC review applications received, we were able to finalise 84% within 12 months, exceeding our target of 80% completed within 12 months. The average time taken to close an IC review was 6.7 months, a slight increase on last year’s average time of 6.2 months.
Our advisory, guidance and monitoring expertise is also highly sought after. We provided more advice across government and the economy than ever before. We have also worked proactively to help agencies to prepare for the commencement of the Australian Government Agencies Privacy Code on 1 July 2018, including by providing detailed guidance, training and resources to support agencies to take a privacy by design approach to handling personal information. The Code will help ensure a consistent standard of personal information governance in Australian Government agencies.
Over the past 12 months there have also been a number of significant new proposals from government that impact the data landscape and the regulatory role of the OAIC. We have engaged with the proposed Consumer Data Right, helping to ensure that the legislative framework, standards and processes are designed in a way that support privacy and data security, for the benefit of all individuals who wish to use the scheme. The Australian Competition and Consumer Commission’s inquiry into digital platforms also raises issues of significant interest to the OAIC in regulating personal information handling in the online environment. We have also continued to engage with the Australian Government’s proposal to mandate comprehensive credit reporting, to ensure respect for privacy and an efficient credit reporting system. Ahead of that proposed change, we reviewed and varied the Privacy (Credit Reporting) Code 2014 (CR Code), a legislative instrument, which supports part IIIA of the Privacy Act which regulates the handling of consumer credit reporting information in Australia.
In relation to access to government held information, we have continued to assist Australian Government agencies to take a proactive approach to publishing the information that they hold. This year we conducted a survey of all agencies subject to the FOI Act, to review compliance with the Information Publication Scheme (IPS) set out in that Act. A report on this work will be published in 2018–19, complemented by updated guidance for agencies on providing administrative access outside of the FOI Act. We have also published an FOI regulatory action policy, which further outlines our approach to undertaking IC reviews, FOI complaints and Commissioner initiated FOI investigations.
And in work that traverses the OAIC’s information management, FOI and privacy functions, we continue to participate in the Open Government Forum, and our work on the development of Australia’s next Open Government National Action Plan will continue into 2018–19. We have also continued to engage with the Government’s response to the Productivity Commission’s Data Availability and Use report, to support the better use of government held information while protecting privacy.
The next 12 months will raise new challenges for privacy and access to information regulation. The OAIC continues to adapt and develop our capabilities in order to prevent, detect and remedy across a changing regulatory landscape. Working with our stakeholders across the economy, government and with domestic and international regulators will be critical to our success.
Looking back over the past year and to the future, it is the staff of the OAIC who are committed to delivering solutions for the Australian community every working day who make a difference. Ultimately it is their achievements that are outlined in this report.
Australian Information Commissioner and Privacy Commissioner
20 August 2018
Our year at a glance
The OAIC is headed by the Australian Information Commissioner, a statutory officer appointed by the Governor-General. The Commissioner has a range of powers and responsibilities outlined in the AIC Act, and exercises powers under the FOI Act, the Privacy Act and other privacy related legislation.
The Australian Information Commissioner exercises all functions under the AIC Act including all the privacy and FOI functions.
The Australian Information Commissioner is the agency head responsible for the strategic oversight and accountability for the agency’s regulatory, strategic, advisory and dispute resolution functions, as well as its financial and governance reporting.
Timothy Pilgrim was the Australian Information Commissioner and Australian Privacy Commissioner until his retirement on 23 March 2018. Angelene Falk was appointed as acting Australian Information Commissioner and acting Privacy Commissioner from 24 March 2018 and appointed by the Governor-General to the roles of Australian Information Commissioner and Privacy Commissioner on 16 August 2018.
Angelene has held senior positions in the OAIC since 2012. This includes her role as Deputy Commissioner since 2016.
Over the past decade, Angelene has worked extensively with Australian Government agencies, across the private sector and internationally, at the forefront of addressing regulatory challenges and opportunities presented by rapidly evolving technology and potential uses of data. Her experience extends across industries and subject matter, including data breach prevention and management, data sharing, credit reporting, digital health and access to information.
Angelene holds a Bachelor of Laws with Honours and a Bachelor of Arts from Monash University and a Diploma in Intellectual Property Law from Melbourne University.
Support to the Commissioner
The Commissioner is supported by an Executive team of three substantive SES positions, and staff who are experts in their field. The OAIC is structured into two main Branches — Dispute Resolution and Regulation and Strategy.
Generally, the Dispute Resolution Branch is responsible for case management and resolution of privacy complaints, FOI Information Commissioner reviews, Commissioner initiated privacy and FOI investigations and the public enquiries line. The Regulation and Strategy Branch provides guidance, examines and drafts submissions on proposed legislation, conducts assessments, and provides advice on inquiries and proposals that may have an impact on privacy.
Communication and collaboration
This year we used a variety of different channels to raise awareness about privacy and freedom of information, and engaged with businesses, government agencies and the Australian public.
This section contains highlights of some of these activities, with other activities outlined in section 2.
The OAIC hosts and participates in a number of domestic and international privacy networks which provide opportunities for organisations and other regulators to meet, collaborate and share expertise.
Privacy Professionals’ Network
The Privacy Professionals’ Network (PPN) has continued to grow this year, from 1,235 to 3,442 members. The engagement from PPN members is high, with the majority of PPN events run in 2017–18 fully subscribed. Approximately 70% of PPN members are from the private sector, with the remainder from the public sector and not-for-profit organisations. Members have the opportunity to hear from experts, listen to case studies, and network with other members at PPN events.
Information Contact Officer Network
The Information Contact Officer Network (ICON) provides news, updates and information about FOI. ICON has continued to engage its members with monthly updates and events. In 2017–18 ICON grew from 458 members to 538. We held an ICON information session in Canberra in March 2018, which explored ongoing and emerging challenges in FOI administration and included an expert panel discussion.
Consumer Privacy Network
The Consumer Privacy Network (CPN) helps the OAIC to further understand and respond to current privacy issues affecting consumers. Members are appointed for a two year period. Current members are:
- Australian Communications Consumer Action Network
- Australian Privacy Foundation
- Consumer Action Law Centre (CALC)
- Consumer Credit Law Centre SA (CCLCSA)
- Consumers Health Forum of Australia
- Electronic Frontiers Australia Inc
- Financial Rights Legal Centre Inc (NSW)
- Internet Australia
- Legal Aid NSW
- Legal Aid Queensland
- The Foundation of Young Australians
- National LGBTI Health Alliance
- Federation of Communities’ Councils of Australia
- National Mental Health Consumer and Carer Forum
Privacy Authorities Australia
Privacy Authorities Australia is a group of Australian privacy authorities that meets regularly to promote best practice and consistency of privacy policies and laws. Membership includes the OAIC and privacy representatives from other states and territories.
Asia Pacific Privacy Authorities
This is the principal forum for privacy authorities in the Asia-Pacific region to form partnerships and exchange ideas about privacy regulation, new technologies and the management of privacy enquiries and complaints.
Global Privacy Enforcement Network
The Global Privacy Enforcement Network (GPEN) is designed to facilitate cross-border cooperation in the enforcement of privacy laws. It builds on the Organisation for Economic Co-operation and Development’s (OECD’s) Recommendation on Privacy Law Enforcement Cooperation (2007), which recognised the need for greater cooperation between privacy enforcement authorities on cross-border privacy matters.
International Conference of Data Protection and Privacy Commissioners
The largest and longest standing network for data protection and privacy authorities, the International Conference of Data Protection and Privacy Commissioners brings together organisations from around the world to provide leadership at international level in data protection and privacy.
Asia-Pacific Economic Cooperation
The Asia-Pacific Economic Cooperation (APEC) administers a number of working groups including a working group focused on privacy, data transfers and digital interactions. We do not officially participate in any of APEC’s working groups, however, we monitor them regularly and assess the impacts on our operating landscape. We also regularly review opportunities to co-sponsor APEC projects and research. We have also adopted and are participants in the APEC Cross-border Privacy Enforcement Arrangement (CPEA).
Common Thread Network
This network brings together data protection and privacy authorities from Commonwealth countries.
Association of Information and Access Commissioners
This Australian/New Zealand network is for information access authorities who administer FOI legislation.
The International Conference of Information Commissioners
The international conference provides an opportunity for commissioners, practitioners and advocates to exchange ideas for the advancement of access to information.
This year, OAIC Executive members delivered more than 50 speeches to audiences from the public, private, community, health and education sectors.
We held two Privacy Professionals’ Network (PPN) events this year. Both events focused on educating businesses and agencies about the Notifiable Data Breaches (NDB) scheme and the European Union’s General Data Protection Regulation (GDPR). The first event was held in Adelaide. Co-hosted with Deloitte, this was the first in-person engagement with Adelaide based PPN members and provided an opportunity for members to talk directly to the OAIC. In March, the OAIC travelled to Brisbane to discuss the first few weeks of operation of the Notifiable Data Breaches scheme at a PPN event co-hosted by the OAIC and Ashurst.
As part of our commitment to assisting Australian Government agencies move towards a best practice approach to privacy governance, we also held an Australian Government Agencies Privacy Code seminar in Canberra. This event provided an overview of the requirements of the Code, and highlighted the range of resources available to support agencies. It was open to Australian Government agency staff at all levels.
47th Asia Pacific Privacy Authorities Forum
In July 2017, we hosted the 47th Asia Pacific Privacy Authorities (APPA) Forum at the International Convention Centre in Sydney. More than 45 representatives from 17 APPA member authorities attended the meeting. Chaired by the Australian Information and Privacy Commissioner, APPA members and invited guests discussed interoperability and identifying global and domestic synergies for regulatory guidance and enforcement activities in the Asia Pacific.
Key topics discussed over the two day meeting included de-identification, the European Union’s GDPR and data breach notifications. APPA members complimented the compelling agenda and content of the forum.
Data + Privacy Asia Pacific Conference
Immediately following the APPA Forum, we held a conference entitled Data + Privacy Asia Pacific. The conference was held to provide the Australian business community with the opportunity to hear from the region’s regulators and to broaden the conversation to incorporate data and privacy experts. There were 274 attendees. A highlight of the conference was the opening session on ethical data stewardship which brought together a rare panel of global expertise in data and ethics; Australia’s Dr Simon Longstaff, Executive Director of The Ethics Centre, was joined by Facebook Deputy Chief Privacy Officer, Rob Sherman, and leading academic, Peter Cullen from the Information Accountability Foundation. Feedback from attendees was overwhelmingly positive; the average rating for the overall event experience was 4.25/5.
Community outreach and engagement
We hosted a free public panel discussion at the University of Adelaide, which explored questions surrounding ethics, media and privacy, and a Queensland University of Technology debate which asked the question ‘Is privacy still relevant in the modern age?’. The University of Technology Sydney co-hosted ‘Privacy as a career’ event was oversubscribed, with law and IT students keen to hear from privacy and cyber security professionals.
An additional focus for this year was a series of ‘grass roots’ community engagement events. For example we exhibited at the Sydney Disability Expo, where information regarding access to health information was popular.
OAIC representatives spoke at the following international events:
- International Conference of Data Protection and Privacy Commissioners in Hong Kong
- International Conference of Information Commissioners in Manchester, England
- APPA 48 in Vancouver, Canada
- APPA 49 in San Francisco, United States
- GPEN workshop in Israel
Privacy Awareness Week 2018
Privacy Awareness Week (PAW) is an annual initiative of the Asia Pacific Privacy Authorities forum. It is held every year to promote and raise awareness of privacy issues and the importance of protecting personal information.
In 2018, PAW ran from 13 to 19 May, promoting the theme ‘Privacy: from principles to practice’. The theme encouraged organisations to ensure that privacy protection is part of their everyday business. This message was supported by a digital campaign that directed businesses, agencies and consumers to useful resources and the PAW website.
Tied into the PAW activities was the recognition of 30 years of the Australian Privacy Act. Communications focused on highlighting the evolution of the Act, along with technology and culture, through comparison social icons and a ‘30 years of the Privacy Act’ timeline.
Throughout PAW, an innovative program of events allowed us to engage with a variety of sectors and the community. These events included a sold out business breakfast, attended by 154 representatives from business and government, and a community engagement event, where more than 1,000 commuters were informed about the importance of knowing their credit history. The week was supported by 360 ‘supPAWters’, who signed up to promote the importance of good privacy practice to their consumers and internally.
The success of PAW resulted in:
‘As we reflect on this 30th anniversary of the Australian Privacy Act, it’s clear that the significant role privacy and data protection plays in businesses, government agencies, and for individuals, has rapidly evolved in just a few short decades. In 2018, privacy and data protection must be a central part of the way you do business.’
Angelene Falk, then acting Australian Information Commissioner and acting Privacy Commissioner, in her opening speech for the Privacy Awareness Week 2018 Business Breakfast.
We hosted a webinar on 21 November 2017 to help agencies and business to prepare for the commencement of the NDB scheme. Around 1,170 people viewed or listened to the webinar live. This included registrants from 10 countries, as well as Australia. The webinar is available on our website and as at 30 June 2018 had been viewed more than 2,000 times.
Another webinar was held on 15 May 2018 to launch our new interactive Privacy Management Plan tool for Australian Government agencies. We had 206 registrations for this event. The webinar is available to view on our website.
This year has seen a significant increase in community and media attention around our work, privacy and FOI. Privacy is increasingly of interest to Australian consumers and communities, and several high profile privacy incidents have prompted Australians to reflect on how their information is handled.
In 2017–18 we continued to adopt a strategic and proactive approach to disseminating information and raising awareness, resulting in a strong media presence across a variety of channels.
Media enquiries increased by 24% (317 in 2017–18 compared to 255 in 2016–17). These have been from a mixture of mainstream, business and digital publications.
#dataprivacy17 trended as high as number two during the Data + Privacy Asia Pacific conference in July 2017.
#2018PAW trended to number one on the launch of Privacy Awareness Week 2018.
Raised awareness of the Notifiable Data Breaches scheme with an estimated 428,000 Australians, through a paid Facebook consumer campaign.
Long text descriptions
Privacy highlights
We received 18% more privacy complaints — in 2017–18, there were 2,947 total privacy complaints, compared to 2,495 in 2016–17.
During the year, the majority of complaints came from the following sectors:
- Finance (including superannuation): 14%
- Health service providers: 11%
- Australian Government: 10%
- Telecommunications: 8%
- Credit reporting bodies: 6%
- Retail: 5%
We finalised 11% more privacy complaints — in 2017–18, we finalised 2,766 total privacy complaints, compared to 2,485 in 2016–17. In 2017–18, the average time taken to finalise a complaint was 3.7 months, compared to the time taken last year of 4.7 months.
In 2017–18, 97% of all privacy complaints were finalised within 12 months of receipt. In 2016–17, 95% of all privacy complaints were finalised within 12 months of receipt.
We handled 19,407 privacy enquiries which is a 16% increase on last year. They were:
- Phone enquiries: 14,928
- Written enquiries: 4,452
- In person: 27
We received 305 mandatory data breach notifications under the Notifiable Data Breaches (NDB) scheme, which came into effect on 22 February 2018. 99% of notifications under the NDB scheme were finalised within 60 days.
FOI highlights
We received 801 applications for Information Commissioner reviews of FOI requests in 2017–18, a 27% increase over the 633 received in 2016–17. In 2016–17 we finalised 86% of applications for an Information Commissioner review within 12 months of receipt.
The top five agencies involved in Information Commissioner reviews were:
- Department of Home Affairs: 154
- Department of Human Services: 119
- Australian Federal Police: 54
- Department of Defence: 39
- Australian Taxation Office: 28
We finalised 18% more Information Commissioner reviews. In 2017–18, there were 610 finalised compared to 515 in 2016–17.
In 2017–18, the average time taken to finalise an Information Commissioner review was 6.7 months, compared to the time taken last year of 6.2 months.
We handled 1,931 FOI enquiries which is a 6% decrease on last year. They were:
- Phone enquiries: 1,339
- Written enquiries: 584
- In person: 8
We received 72% more FOI complaints. There were 62 in 2017–18, compared to 36 in 2016–17.
The average time taken to finalise a complaint was 5.8 months, compared to 3 months in 2016–17. 83% of all FOI complaints were finalised within 12 months of receipt, compared to 100% in 2016–17.